Friday, February 29, 2008

beware of geeks baring grifts

[Kudos to]

ASUG.COM has an open discussion forum thread titled: "Security Influence Council"

Multiple posters from well known companies discuss their wish lists for improvements in security management. I'll paraphrase their ideas as best I can, shrouding their identities. ASUG.COM posts are "members-only" and Influence Councils often are subject to non-disclosure agreements, so I'm partly obfuscating here for effect. Members have exclusive access to SAP product management through channels designed to maximize the community voice of a large number of SAP customers.

The thread started in mid-October, just after SAP TechED 07 US concluded, with the potent question from G.C., "Have you noted flaws in the SAP security design? Do you have requests for enhancement?" It linked to the October 2007 ASUG BITI newsletter, which summarized recent Security Influence Council requests. While SAP responded to open requests at TechEd, the customer concerns persist.

Thread capsule summaries

[2] PD:
"Authorization Group" AKA field BGRU usage seems to be incredibly complex cannot find good documentation ... should be redesigned and simplified

[3] GL:

See : Executive Keynote
1 hr and ~38 minutes in, SAP acknowledges the wide variety of authorization concepts contributes to the burden and expense of [enterprise] security support.

*** Identity Management has the potential for managing users, but no impact on improving authorization/role management***

Holger Mack later spoke about simplifying documentation; fewer authorization concepts is desirable.

[4] SL: silent authorizations confusing. SAP said: "No attribute for identifying 'silent checks' in the trace file". Would like to see return code in trace file designating silent checks, and the checks not appear in SU53 as user errors.

[5] SG#1: SUIM reports should be 100% reliable.

[6] SG#2: SU53 is not 100% reliable; generic error that the S_CTS_ADM is missing with certain values. In all these cases, my analysis proved that the error shown is completely irrelevant to the error itself.

[7] LH: Job (role) based security in HR, with SAP focusing on Java development, where portal and Java gear toward user-based roles. Says Java is transparent, but ye editor thinks this means opaque...

[8] WM: Prior false starts ("Global User Manager") [leaves experienced admins leery of the latest product announcements]. SU24 CRM backend has never been accurately updated with auth objects that link to BSPs. "should sell our USOBT_C table to other CRM customers." ;-)
like one of those russian doll nightmares where I keep opening up one, and there is yet another small one inside.. =)

[9] JA: Identiy Management 7.0. The only training was in Germany when I looked in 2007. Now the training site says that training materials have not yet been developed. need more standalone classes solely dedicated to security for this new technology. (We have purchased the online training for NetWeaver, but that is a poor substitute for hands-on training).

[10] GM: would like to see a standard best practice process documented and supported by SAP that distributes SAP Security Business Application control to individuals in the business depts
many companies put too much on the shoulders of the technical security administrator and do not require enough hands on tasks for business owners, or delegated Super users for their departments.

[11] PR: struggling with the UME in NetWeaver since 2005 and haven't found a good way to trace what a user is doing other than to try to decipher the java logs themselves. Those are extremely cumbersome. The other way I have found is to look into the Visual Administrator.

What Else?


I am sure the author of this SAP SDN blog intended the complete opposite of what I think -- "Threats to the community - Government working with Business." Just as I think the founders of the U.S. were on the right track separating church from state, it is right to separate business from government, from lobbyists, to telecommunications corporations giving away our privacy without due cause, warrants or legal review. Not to mention outsourcing mercenary activities to the lowest bidders. Cause for concern in my opinion!


I read this blog and completely agree that different problems require different solutions. Follow up posters seem mainly to be from those interested in providing security solutions. Not so much noise from the harried security administrators who need to execute the goals.


An issue many software vendors gloss over is that customers may already have solutions in place, incompatible with the latest and greatest versions the account representative wants to unload. I don't know how may times I've had the pitch - "we bought (or developed, or whatever) this new solution to your problem". "But we already have a solution that works". "This one is better." Not cheaper, not faster, and rarely easier. It's just the product of the months. I usually ask, "will you pay to retrofit my customizations and configurations, train my users and staff the help desk for the first 90 days as part of this wonderful deal?" The answer never seems to be "no problem."

For SAP, I keep hitting this with Solution Manager. "Oh it has Change Control". Well, gosh, we've been using a third party change management system for years. I believe ChArM might be better, but where was it when we needed it?


I'm no security expert, but I know a few. What they tell me is that the SAP Identity Management product approach is geared towards provisioning users , not towards the real goal they own, which is asset protection. There are many products that SAP has acquired or developed outside the core functionality of R/3 (the "Enterprise Resource Planning" - remember what Enterprise means???) with completely foreign methods of managing access control. Other vendors provide similar tools (anyone not running Windows desktops in their Enterprise, with Active Directory, or another LDAP directory not from SAP?).

When your company merges with another, acquires or is acquired, what do you find? They've implemented security and identity management in a completely different way. During those times, it is good to be the acquirer, but only slightly, as all the remaining staff need to be re-provisioned in order to gain those fabled synergies the folks in shiny shoes promised.


ASUG Webcast: Central User Management with Windows Active Directory

WAS HELD FEB 7, 2008


Learn how to simplify user management

Understand how the J2EE engine accesses LDAP data

Understand the LDAP synchronization tools for ABAP provided by SAP


Tobias Waldvogel, SecurIntegration GmbH. Tobias is an SAP Security Consultant employed by SecurIntegration GmbH, a leading company in SAP Security.


I Don't Want Identity Management, I Want Identity Theft Protection, Or Insurance.

{other than the folks I liberally quoted from above, all opines are mine alone}
Steve Wallach ... coined the phrase, "I'm not puttin' a bag on the side of the Eclipse."

This blog was inspired by Gali, who claims to believe that I can write about any topic. I got an extra day this month but almost missed.

No comments: